Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails
A China-linked espionage group abused Google Workspace rules to exfiltrate sensitive data from North American medical, academic, and military research networks for over a year. The attackers gained initial access through a backdoor on REDCap research servers that harvested user login credentials. With those credentials, they reconfigured the victims' own Google Workspace rules to copy outgoing messages, so the victims' infrastructure itself delivered the stolen data to the attackers. Because the mail left through the organisations' legitimate channels, the activity went unnoticed for an extended period while research and defense-related emails were pilfered.

The group, identified as APT41, has a history of targeting organizations in sectors such as healthcare, technology, and government. Its operations illustrate the evolving tactics of state-sponsored threat actors and the need for continuous monitoring of cloud environments, including the mail-handling rules configured inside them. The specific Google Workspace rules that were abused and the extent of the data compromised were not fully disclosed, but the breach underscores the persistent threat that advanced persistent threats (APTs) pose to critical research and defense infrastructure.
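The reporting does not say which Workspace rule type was abused, but a defender auditing a tenant after a story like this would start by listing every mail-handling rule that sends a copy of messages to an address outside the organisation. The check below is an added example, not code from the reporting or from Google; it covers the user-level Gmail filter case, assumes the record shape of the Gmail API Filter resource (criteria plus an action with an optional forward address), and runs over constructed sample filters rather than a live tenant.

```python
"""Flag Gmail filter rules that forward mail outside the organisation.

Added example (not code from the reporting). Record shape mirrors the
Gmail API Filter resource (criteria / action, action.forward); the
filters below are constructed sample data, not from any real tenant.
"""
from __future__ import annotations

# Assumed: the domains the tenant legitimately owns.
ORG_DOMAINS = {"example-lab.edu"}

# Constructed sample: what users.settings.filters.list might return per user.
SAMPLE_FILTERS = {
    "researcher@example-lab.edu": [
        {"id": "f1", "criteria": {"from": "grants@example-lab.edu"},
         "action": {"addLabelIds": ["Label_12"]}},
        # Forwards everything to an outside mailbox and hides the copy
        # from the user's inbox: the pattern a defender wants to surface.
        {"id": "f2", "criteria": {},
         "action": {"forward": "archive@mail-collector.example.net",
                    "removeLabelIds": ["INBOX"]}},
    ],
    "admin@example-lab.edu": [
        # Internal forward: benign, must not be flagged.
        {"id": "f3", "criteria": {"subject": "weekly"},
         "action": {"forward": "team@example-lab.edu"}},
    ],
}


def is_external(address: str) -> bool:
    """True when the address's domain is not one the organisation owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def suspicious_filters(filters_by_user: dict[str, list[dict]]) -> list[dict]:
    """Return one finding per filter that forwards to an external address.

    Severity is raised to "high" when the filter also removes INBOX (the
    user never sees the forwarded copy) or has no criteria (matches all).
    """
    findings = []
    for user, filters in filters_by_user.items():
        for flt in filters:
            action = flt.get("action", {})
            target = action.get("forward")
            if not target or not is_external(target):
                continue
            hides = "INBOX" in action.get("removeLabelIds", [])
            broad = not flt.get("criteria")
            findings.append({"user": user, "filter_id": flt["id"],
                             "forward_to": target,
                             "severity": "high" if (hides or broad) else "medium"})
    return findings
```

Run the same check against the tenant's admin-level routing and content-compliance rules too, since those can copy outgoing mail without any per-user filter.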
Original source: read the full reporting on The Hacker News.